Response generation after distributed monitoring and evaluation of multiple devices

US 10,122,747 B2
Filed: 07/26/2017
Issued: 11/06/2018
Est. Priority Date: 12/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior;

at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;

at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy;

at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices;

at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data;

at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and

upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.

424 Citations

20 Claims

1. A method comprising:
- at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior;
  
  at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy;
  
  at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices;
  
  at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data;
  
  at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and
  
  upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the action on the first device comprises:
    - blocking the first device from accessing a service.
  - 3. The method of claim 1, wherein the action on the first device comprises:
    - transmitting to the first device instructions to uninstall an application program on the first device.
  - 4. The method of claim 1, wherein the step of generating an alert further comprises:
    - transmitting a message to an administrator.
  - 5. The method of claim 1, wherein the observation data collected comprises:
    - a first set of observation data associated with an organization and collected from a first subset of the plurality of devices associated with the organization, anda second set of observation data collected from a second subset of the plurality of device not associated with the organization.

6. A method comprising:
- at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior;
  
  at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy;
  
  at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices;
  
  at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data;
  
  at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and
  
  upon the determination, generating alert information by the server, wherein the alert information when processed causes at least one of;
  
  the transmitting by the server of a message to an administrator;
  
  the blocking of the first device from accessing a service; and
  
  transmitting to the first device instructions to uninstall an application program on the first device.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein the observation data collected comprises:
    - a first set of observation data associated with an organization and collected from a first subset of the plurality of devices associated with the organization, anda second set of observation data collected from a second subset of the plurality of device not associated with the organization.
  - 8. The method of claim 7, wherein:
    - the first device is associated with the organization; and
      
      the determining the normal pattern of activity occurring on the plurality of devices by processing the collected observation data comprises processing the collected observation data from the first subset of the plurality of devices and not processing the collected observation data from the second subset of the plurality of devices to determine the normal pattern of activity.

9. A method comprising:
- at a server, monitoring a plurality of devices for observation data based on a first data monitoring policy, the monitored observation data including information associated with at least one of device configuration, device state, and device behavior;
  
  at the server, establishing a normal pattern of activity occurring on the plurality of devices based on the monitored observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, deriving a second data monitoring policy from the determined normal pattern of activity occurring on the plurality of devices, the second data monitoring policy being different from the first data monitoring policy;
  
  at the server, based on the derived second data monitoring policy, monitoring a first device of the plurality of devices for first device data;
  
  at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined by the monitored first device data;
  
  at the server, determining that the first pattern of activity associated with the first device of the plurality of devices is outside of a threshold deviation from the normal pattern of activity; and
  
  upon the determination, modifying the second data monitoring policy for monitoring of the first device by the server.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the step of modifying the second data monitoring policy comprises:
    - increasing the monitoring of the first device.
  - 11. The method of claim 9, wherein the step of modifying the second data monitoring policy comprises:
    - decreasing the monitoring of the first device.
  - 12. The method of claim 9, wherein the normal pattern of activity indicates that a first event occurs during a first context, and the step of determining that activity on the first device is outside the normal pattern of activity comprises:
    - determining that the first event occurred on the first device during a second context, different from the first context.
  - 13. The method of claim 9, wherein the step of determining that the first pattern of activity on the first device is outside the normal pattern of activity comprises:
    - receiving from the first device an indication that a shared library has been loaded on the first device from a memory card.
  - 14. The method of claim 9 comprising:
    - generating a model of characteristics for a specific application program on the plurality of device; and
      
      wherein the step of determining that the first pattern of activity on the first device is outside the normal pattern of activity comprises;
      
      determining that an application program, on the first device and identified as being the same as the specific application program, has a characteristic that is not included in the model of characteristics.
  - 15. The method of claim 9, wherein the step of monitoring the plurality of devices comprises:
    - monitoring a first subset of the plurality of devices for first events associated with an application program on the plurality of devices; and
      
      monitoring a second subset of the plurality of devices for second events associated with the application program,wherein the second subset of devices is not monitored for the first events, and the first subset of devices is not monitored for the second events.

16. A method comprising:
- at a server, distributing first policies to a plurality of devices, the plurality of devices includes a first device;
  
  at a server, receiving, from the plurality of devices, observation data responsive to the first policies for observation data, the received observation data including information associated with at least one of device configuration, device state, and device behavior;
  
  at the server, determining a normal pattern of activity occurring on the plurality of devices using the received observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, receiving first device data from a first device of the plurality of devices, the first device data being based on a second policy that has been derived from the normal pattern of activity occurring on the plurality of devices;
  
  at the server, determining a first pattern of activity occurring on the first device using the received first device data;
  
  at the server, comparing the normal pattern of activity with the first pattern of activity occurring on the first device;
  
  at the server, determining that the first pattern of activity deviates from the normal pattern of activity outside of a threshold value; and
  
  upon the determination, transmitting by the server, the second policy to the first device to replace the first policy distributed to the first device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the first policy specifies collection of a first level of detail, and the second policy specifies collection of a second level of detail greater than the first level of detail.
  - 18. The method of claim 16, wherein the first policy specifies sampling data associated with the first device at a first frequency, and the second policy specifies sampling the data at a second frequency, greater than the first frequency.
  - 19. The method of claim 16, wherein observation data responsive to the first policies has been anonymized to exclude personally identifiable information (PII).
  - 20. The method of claim 16, wherein a violation of the normal pattern of activity is detected when the normal pattern of activity specifies a first sequence of events, and the first pattern of activity specifies a second sequence of the events, different from the first sequence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Wyatt, Timothy Micheal, Buck, Brian James, Hering, John Gunther, Gupta, Amit, Abey, Alex Cameron
Primary Examiner(s)
Hasan, Syed H

Application Number

US15/660,864
Publication Number

US 20170339178A1
Time in Patent Office

468 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0754   by exceeding limits

G06F 11/0766   Error or fault reporting or...

G06F 11/3006   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3072   where the reporting involve...

G06F 11/3409   for performance assessment

G06F 11/3452   Performance evaluation by s...

G06F 2201/81   Threshold

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 67/303   Terminal profiles

H04L 67/51   Discovery or management the...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Y02D 10/00   Energy efficient computing,...

Response generation after distributed monitoring and evaluation of multiple devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

424 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Response generation after distributed monitoring and evaluation of multiple devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

424 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links